What is the best super-sized cookie denial-of-service attack defense?

Super-sized cookies are behind an innovative new denial-of-service attack. Enterprise threats expert Nick Lewis discusses how to prevent these cookies from getting onto your network.

I read that "super-sized" cookies can be used to complete distributed denial-of-service attacks. How can these types of cookies be detected and stopped from entering my network?

Most denial-of-service (DoS) attacks overwhelm the computing resources or bandwidth of a target system, focusing on the remote site. However, super-sized cookie DoS attacks are different: they target a client system that is trying to access specific websites, causing an indirect DoS.

Bogdan Calin, CTO of Acunetix, wrote a blog post about the vulnerability, or unexpected functionality, that makes a website look unavailable to a Web browser. The issue is on the browser side: after visiting malicious webpages coded with JavaScript that creates a significant number of cookies, the browser sends malformed cookie data to a Web server. The malicious cookies are sent when the Web browser sets up a connection with the Web server; more cookie data is sent than is allowed in the connection setup, so the server closes the connection. In this flaw, the malicious website can only affect other websites using the same domain name; for example, can be used to DoS *, but not *

Two of the key tenets of computer security are to never trust input and always sanitize data received. This goes for data a server is receiving as well as data a client is receiving from a server.

While the server is correctly rejecting the malicious cookie data, clients should limit the number of cookies a webpage can set on a client system. Web browsers can be set to allow a website to send only a limited number of cookies, which avoids this issue. In the blog post, Calin also mentions that the cookies could simply be cleared in the browser to fix the issue.

Super-sized cookies can be detected in a couple of different ways, but they might be easiest to detect over the network by monitoring HTTP traffic for larger-than-normal data being sent to a Web server immediately when a connection is set up. Though it might be reasonable for a large amount of data to be entered into a Web application, it would be unusual for a large amount of data to be sent when setting up a connection.

A host-based intrusion detection system could also be used to identify a website that uses a large number of cookies. It can block the malicious cookies as well, or monitor for error messages from the server to alert that a system might be infected with malicious cookies.
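The network-side check and the server-error correlation described above can be sketched as follows. This is an added example, not code from the article or from Calin's blog post; the thresholds, the set of rejection status codes, the helper names and the sample requests are all assumptions constructed for illustration.

```python
from collections import namedtuple

# Assumed thresholds (not from the article); tune them to your servers' header limits.
MAX_COOKIE_BYTES = 4096
MAX_COOKIE_COUNT = 50
REJECT_STATUSES = {400, 431}  # assumed: statuses a server returns for oversized headers

Finding = namedtuple("Finding", "host cookie_bytes cookie_count header_bytes rejected")

def parse_headers(raw: bytes):
    """Split a raw HTTP/1.x request into (header block size, {name: [values]})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return len(head), headers

def inspect(raw: bytes, status: int):
    """Return a Finding if the request's cookies exceed the thresholds, else None."""
    header_bytes, headers = parse_headers(raw)
    cookies = b"; ".join(headers.get(b"cookie", []))
    count = len([c for c in cookies.split(b";") if c.strip()])
    if len(cookies) <= MAX_COOKIE_BYTES and count <= MAX_COOKIE_COUNT:
        return None
    host = headers.get(b"host", [b"?"])[0].decode("ascii", "replace")
    return Finding(host, len(cookies), count, header_bytes, status in REJECT_STATUSES)

def build_request(host: str, n_cookies: int, value_len: int) -> bytes:
    """Construct a sample GET request (test data only, not captured traffic)."""
    cookie = "; ".join(f"c{i}={'x' * value_len}" for i in range(n_cookies))
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()

# Constructed sample traffic: (raw request, status the server answered with)
SAMPLES = [
    (build_request("app.example.test", 3, 20), 200),
    (build_request("app.example.test", 100, 100), 400),
]

def scan(samples=SAMPLES):
    """Return a Finding for every sampled request that looks super-sized."""
    return [f for f in (inspect(r, s) for r, s in samples) if f]

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

A finding with `rejected` set to true pairs an oversized cookie header with a server rejection, which is the combination a client affected by this issue would produce on every connection attempt.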


This was last published in April 2015
